HTTPS Intercepting and Firefox

Postby Talicada » Jul 09 15 11:06 pm

Firefox has some problems in regards to using self signed certificates. Anyone know a way around this?
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 09 15 11:27 pm

Hi

Firefox uses its own cert store, rather than the windows cert store, so you need to install the signing certificate into it to get it to stop nagging about spoofed certs from the proxy.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 09 15 11:35 pm

Done that, however with FF 33+ they disabled certs with rsa < 1024 from being used. This may have somehow affected the certificates.

Test for yourself because a lot of other people around the web have been complaining about Firefox's handling of this..
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 09 15 11:43 pm

ok

the root of any cert chain is necessarily a self-signed cert, so it won't be that issue if it's moaning about the signer cert.

Is this one generated in WinGate? Or did you import e.g. from your AD CA services (in which case maybe you can generate a new one?)

I think even RSA is being deprecated lately.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 09 15 11:46 pm

Yes it was created by WinGate as I see this to be easier.
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 10 15 12:16 am

You can increase the key length in certs you generate in WinGate.

Just need to make sure you choose "encrypt certificate" at the bottom... not sure even why it's called that, since it relates to the private key rather than the cert.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 10 15 1:10 am

Did that and nothing has changed in Firefox. Error is " (Error code: sec_error_extension_value_invalid) " and now Chrome is giving an error about HSTS
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 10 15 1:18 am

Yeah if you go to any site that uses HSTS, then if there is any cert warning, you can't proceed.

Which version of WinGate are you using?

Did you keep the old signing cert? You can just generate any number of them, and choose between in the WWW proxy properties.

I'll need to do some research to see what sec_error_extension_value_invalid means; certs have extended attributes, so maybe something was wrong. Can you view the cert, and does it then give you any more information about what it doesn't like about the cert?

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 10 15 1:28 am

My server is using 8.3.4

Old signing cert? I generated a new certificate an hour ago.

This is the error that I get from just trying access facebook

Code:
Subject: *.facebook.com
Issuer: DO_NOT_TRUST_FiddlerRoot (For this bit I just used an issuer that I knew had worked before)
Expires on: 14 Oct 2015
Current date: 9 Jul 2015
PEM encoded chain: -----BEGIN CERTIFICATE-----
MIIDvTCCAyagAwIBAgICBLAwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMx
EDAOBgNVBAoTB0ZpZGRsZXIxDTALBgNVBAsTBEhvbWUxITAfBgNVBAMUGERPX05P
VF9UUlVTVF9GaWRkbGVyUm9vdDAeFw0xNTA0MTAwMDAwMDBaFw0xNTEwMTQxMjAw
MDBaMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTWVubG8g
UGFyazEXMBUGA1UEChMORmFjZWJvb2ssIEluYy4xFzAVBgNVBAMMDiouZmFjZWJv
b2suY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDX2npsOTEuM+1A9BMu
EOkcB+CslrHoLauKp4GmI4ZriugiSXfJ537Pp9WzrOk3FHrkB6VZGQhZpbdxkgSK
xyXu6m0tPStSbvVnRrdaKUjGpimgF4IPJS05JJQWMVAiDtF6OlK7ELUTWQEnPfJ9
ql99SmcKJoZkcGUy+NwmTOqgFQIDAQABo4IBkjCCAY4wgbcGA1UdEQSBrzCBrIIO
Ki5mYWNlYm9vay5jb22CDGZhY2Vib29rLmNvbYIIKi5mYi5jb22CBmZiLmNvbYIL
Ki5mYnNieC5jb22CCyouZmJjZG4ubmV0gg4qLnh4LmZiY2RuLm5ldIIOKi54eS5m
YmNkbi5uZXSCDioueHouZmJjZG4ubmV0ghAqLm0uZmFjZWJvb2suY29tgg8qLm1l
c3Nlbmdlci5jb22CDW1lc3Nlbmdlci5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQi
BCCivbhhgNfV2XZCmrDJq1HU63Ka7tmw+f9s0LNdnLZxSzAuBgNVHSMEJzAlgCBP
lHcVK1UHI/VFBO3YT5tJO4vTi1kY+5RtnKV5FOud/IIBADA6BggrBgEFBQcBAQQu
MCwwKgYIKwYBBQUHMAKGHmh0dHA6Ly93aW5nYXRlL2dldGNlcnQ/Q2FjaGluZzAN
BgkqhkiG9w0BAQsFAAOBgQBDLLsuw3syFSPRLLEOgjyyu28Ur5f3USdfqAGjIuM2
XGRI+3mRkId28eA/kAVwQKDJ6kNkeMtzwWHXYnKVbSikySbSN5HFFjYanlCkvRfp
MMefPzWCXaU5/jevU8Cbms95JVfbeEvL477v+pb1VmrKlsbYD0L0OBs1Rp7l1vvm
PQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 10 15 1:34 am

sorry, I meant the prior one that didn't give you the HSTS issue with Chrome (you'll need to add the new signer cert to the windows store to get past that issue).

I checked through the code we use to generate certs. Mostly the attributes come from the source (server) certificate, although we have to hook it up to the signer cert.

The code looks ok, it uses 1024 bit RSA keys for the private/public key on the spoofed cert, so RSA key length shouldn't be an issue.

Unless FF can be more specific about what attribute it didn't like it's hard to know how to proceed... maybe someone at mozilla can give an idea about how to get more info out of FF?

I'll see if I can make anything of that cert chain you posted.

Cheers

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 10 15 1:51 am

I had overwritten that one, so I decided to create another one and it works perfectly except with firefox. How do you think I should show the necessary info to you?
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 10 15 1:52 am

Hi

does this happen on all https sites? I found a Mozilla document about requirements for certs.

https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix

If you go directly to facebook, you get an ECDSA key, but when we spoof it, it's then an RSA key. Point 8 in the mozilla doc says RSA keys should include an attribute in their KeyUsage extension, but we just copied that (and BasicConstraints) one from the source cert.

So this could be the problem.

So I would expect if this is the cause of the problem, then other sites using RSA certs may not show this problem in FF.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 10 15 1:59 am

On most popular websites it does, on some not well known it does. It does on cloudflare. Essentially all websites that use HSTS.

With Firefox, it just doesn't want to import a certificate so it could be a bigger issue or it just doesn't allow self signed certificates.
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 10 15 2:06 am

If you look in your windows cert store, you'll find all the trusted root certs are self-signed. That's what makes a cert a root cert - the fact that it wasn't signed by some other cert (which would make it an end or intermediary cert).

So I don't think it's the fact of it being self-signed. Probably missing the same attribute in the KeyUsage field. You may be able to get a cert from your AD CA service and import that as the signer cert.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 10 15 2:46 am

Hi

could you try just going to https://secure.qbik.com

That has an RSA key, and KeyUsage has the keyEncipherment option set in it, which should carry through to the spoofed cert. If FF works through your https-inspecting proxy to that site, that should give us a pretty clear indication.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 10 15 2:56 am

looks like we can repro the problem here.

I think even with going to a site with an RSA key, if the signer cert isn't also ok you'll still see problems.

I'll have a bash at fixing it tomorrow.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 10 15 10:19 pm

I tried https://secure.qbik.com/ and the same error occurred.

I'm working on Windows Server AD CA at the moment, attempting to figure out how it works.
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 11 15 3:42 am

Hi

I did a bit of work on our cert generation code which is used to generate the certs used for signing the spoofed certs. It wasn't setting the keyUsage attribute. Once I got that attribute set, and imported that new cert, I was then able to intercept https traffic with FF to sites using SSL certs that use RSA private keys.

Next step is to solve that problem, but I think it proves we're on the right track.

So even if you manage to get another cert generated that is entitled to sign certs, you'll still find problems accessing websites that use certs with different types of private key. We should be able to have this problem licked by mid next week.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
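As an added example (not WinGate's code and not from anyone in this thread), the following standard-library Python walks the DER of the spoofed *.facebook.com leaf that Talicada posted above and reports the fields the thread turns on: key algorithm and RSA size, the keyUsage bits, basicConstraints, and the list of extensions. It then applies two checks: what a certificate needs in order to sign spoofed leafs (basicConstraints CA:TRUE and a keyUsage that asserts keyCertSign, per RFC 5280 sections 4.2.1.3 and 4.2.1.9, which is the keyUsage the 8.4 fix adds to the signer), and the point raised about RSA leafs needing keyEncipherment. The hex blob labelled GOOD_SIGNER_EXTS is a constructed sample of those two extensions, not a certificate from the thread.

```python
"""Added example (not WinGate code): walk the DER of an X.509 certificate with the
standard library only and report the extensions an https-intercepting proxy must
get right, on both the spoofed leaf and the certificate that signs it."""
import base64

# The spoofed *.facebook.com leaf posted in this thread (WinGate 8.3.4 output).
POSTED_LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIDvTCCAyagAwIBAgICBLAwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMx
EDAOBgNVBAoTB0ZpZGRsZXIxDTALBgNVBAsTBEhvbWUxITAfBgNVBAMUGERPX05P
VF9UUlVTVF9GaWRkbGVyUm9vdDAeFw0xNTA0MTAwMDAwMDBaFw0xNTEwMTQxMjAw
MDBaMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTWVubG8g
UGFyazEXMBUGA1UEChMORmFjZWJvb2ssIEluYy4xFzAVBgNVBAMMDiouZmFjZWJv
b2suY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDX2npsOTEuM+1A9BMu
EOkcB+CslrHoLauKp4GmI4ZriugiSXfJ537Pp9WzrOk3FHrkB6VZGQhZpbdxkgSK
xyXu6m0tPStSbvVnRrdaKUjGpimgF4IPJS05JJQWMVAiDtF6OlK7ELUTWQEnPfJ9
ql99SmcKJoZkcGUy+NwmTOqgFQIDAQABo4IBkjCCAY4wgbcGA1UdEQSBrzCBrIIO
Ki5mYWNlYm9vay5jb22CDGZhY2Vib29rLmNvbYIIKi5mYi5jb22CBmZiLmNvbYIL
Ki5mYnNieC5jb22CCyouZmJjZG4ubmV0gg4qLnh4LmZiY2RuLm5ldIIOKi54eS5m
YmNkbi5uZXSCDioueHouZmJjZG4ubmV0ghAqLm0uZmFjZWJvb2suY29tgg8qLm1l
c3Nlbmdlci5jb22CDW1lc3Nlbmdlci5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQi
BCCivbhhgNfV2XZCmrDJq1HU63Ka7tmw+f9s0LNdnLZxSzAuBgNVHSMEJzAlgCBP
lHcVK1UHI/VFBO3YT5tJO4vTi1kY+5RtnKV5FOud/IIBADA6BggrBgEFBQcBAQQu
MCwwKgYIKwYBBQUHMAKGHmh0dHA6Ly93aW5nYXRlL2dldGNlcnQ/Q2FjaGluZzAN
BgkqhkiG9w0BAQsFAAOBgQBDLLsuw3syFSPRLLEOgjyyu28Ur5f3USdfqAGjIuM2
XGRI+3mRkId28eA/kAVwQKDJ6kNkeMtzwWHXYnKVbSikySbSN5HFFjYanlCkvRfp
MMefPzWCXaU5/jevU8Cbms95JVfbeEvL477v+pb1VmrKlsbYD0L0OBs1Rp7l1vvm
PQ==
-----END CERTIFICATE-----"""

OIDS = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
        "2.5.29.17": "subjectAltName", "2.5.29.37": "extKeyUsage",
        "2.5.29.14": "subjectKeyIdentifier", "2.5.29.35": "authorityKeyIdentifier",
        "1.3.6.1.5.5.7.1.1": "authorityInfoAccess", "1.2.840.113549.1.1.1": "rsaEncryption"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos (single-byte tags only); return (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        out.append((tag, content))
    return out


def decode_oid(raw):
    """Dotted-decimal form of an OID's DER content bytes."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_extensions(ext_seq):
    """Content of the Extensions SEQUENCE -> {name: (critical, decoded extnValue content)}."""
    exts = {}
    for _, ext in children(ext_seq):
        parts = children(ext)                           # OID, [BOOLEAN critical], OCTET STRING
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        oid = decode_oid(parts[0][1])
        exts[OIDS.get(oid, oid)] = (critical, read_tlv(parts[-1][1])[1])
    return exts


def key_usage(exts):
    """Names of the keyUsage bits that are set, or None when the extension is absent."""
    if "keyUsage" not in exts:
        return None
    bits = exts["keyUsage"][1][1:]                      # byte 0 of a BIT STRING = unused-bit count
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]


def is_ca(exts):
    """True when basicConstraints carries cA TRUE (an empty SEQUENCE means end-entity)."""
    bc = exts.get("basicConstraints")
    return bc is not None and children(bc[1])[:1] == [(0x01, b"\xff")]


def cert_summary(pem):
    """Parse a PEM certificate into key type/size, keyUsage, CA flag and extension names."""
    b64 = "".join(line.strip() for line in pem.splitlines() if "-----" not in line)
    cert = children(base64.b64decode(b64))[0][1]        # Certificate SEQUENCE content
    fields = children(children(cert)[0][1])             # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    alg, pubkey = children(fields[5][1])                # subjectPublicKeyInfo
    alg_oid = decode_oid(children(alg[1])[0][1])
    rsa_bits = None
    if alg_oid == "1.2.840.113549.1.1.1":               # RSAPublicKey { modulus, exponent }
        modulus = children(children(pubkey[1][1:])[0][1])[0][1]
        rsa_bits = int.from_bytes(modulus, "big").bit_length()
    ext = next(c for t, c in fields if t == 0xA3)       # [3] EXPLICIT extensions
    exts = parse_extensions(read_tlv(ext)[1])
    return {"key_algorithm": OIDS.get(alg_oid, alg_oid), "rsa_bits": rsa_bits,
            "key_usage": key_usage(exts), "is_ca": is_ca(exts),
            "extensions": sorted(exts), "exts": exts}


def signer_cert_problems(exts):
    """Why a cert is unfit to sign spoofed leafs (RFC 5280 sections 4.2.1.3 and 4.2.1.9)."""
    problems = []
    if not is_ca(exts):
        problems.append("basicConstraints does not assert CA:TRUE")
    ku = key_usage(exts)
    if ku is None:
        problems.append("keyUsage extension is absent")   # the signer defect fixed in 8.4
    elif "keyCertSign" not in ku:
        problems.append("keyUsage lacks keyCertSign")
    return problems


def leaf_cert_problems(summary):
    """The RSA-leaf point from the thread: keyUsage on an RSA leaf should allow keyEncipherment."""
    ku = summary["key_usage"]
    if summary["rsa_bits"] and ku is not None and "keyEncipherment" not in ku:
        return ["RSA leaf keyUsage lacks keyEncipherment"]
    return []


# Constructed sample (not from the thread): the two extensions a signer cert needs, as DER.
GOOD_SIGNER_EXTS = parse_extensions(bytes.fromhex(
    "300f0603551d130101ff040530030101ff"                # basicConstraints, critical, CA:TRUE
    "300e0603551d0f0101ff040403020106"))                # keyUsage, critical, keyCertSign|cRLSign

if __name__ == "__main__":
    summary = cert_summary(POSTED_LEAF_PEM)
    print({k: v for k, v in summary.items() if k != "exts"})
    print("as a signer:", signer_cert_problems(summary["exts"]))
    print("as a leaf:", leaf_cert_problems(summary))
    print("constructed signer extensions:", signer_cert_problems(GOOD_SIGNER_EXTS))
```

Run against the posted leaf, the report shows a 1024-bit RSA key (matching the "1024 bit RSA keys" statement earlier in the thread), a critical keyUsage of digitalSignature and keyEncipherment, and basicConstraints CA:FALSE, so the same functions applied to an exported signer certificate make it easy to confirm whether it carries the CA:TRUE and keyCertSign bits before deploying it to clients.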

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 11 15 3:46 am

Hi again

actually I just tried facebook, and was surprised to find that it actually worked as well. Obviously there was enough in the copied attributes to satisfy FF.

So I could do you a build earlier if you would like to test. Or if you can get a cert from somewhere else, that has keyUsage set properly and import that you should be good.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: HTTPS Intercepting and Firefox

Postby Talicada » Jul 11 15 10:38 pm

It would be better to test it yes, just in case something is missed and you release a buggy version to the public.
Talicada
 
Posts: 45
Joined: Oct 31 13 3:56 pm

Re: HTTPS Intercepting and Firefox

Postby adrien » Jul 15 15 5:40 pm

Hi

we released 8.4 today which contains the fix. You will need to generate a new signer certificate unfortunately and deploy it to clients.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
